Knowledge-based authentication (KBA) is a premium second-factor authentication method that secures a high-level verification of identity. KBA is only valid for vetting the identity of US-based recipients.
The authentication process challenges the recipient to enter their first and last name in addition to their home address. The recipient may optionally enter the last four digits of their US social security number.
The information entered is used to query multiple public databases, generating a list of three to four nontrivial questions for the recipient.
Once the authentication is passed, the recipient is granted access to view and interact with the agreement.
If the recipient closes out the agreement for any reason before completing their action, they will have to re-authenticate.
To secure against brute force attempts to authenticate, the KBA method can be configured to cancel the agreement after a defined number of failed attempts.
Knowledge Based Authentication is available to the business and enterprise service plans only.
KBA is a premium authentication method that has a per use charge.
Knowledge Based Authentication is a service provided through a partnership powered by InstantID Q&A from LexisNexis.
The challenge page is an iframe to the LexisNexis service. All recipient data entered and returned during the authentication process exists solely within the LexisNexis frame, and never transits the Adobe Sign service.
Once LexisNexis verifies the recipient, an authentication token is passed to Adobe Sign approving access. The tokenID is stored in the Audit Report as part of the successful authentication record.
When KBA is enabled, the sender can select it from the Authentication drop-down just to the right of the recipient's email address:
An optional configuration of the KBA method may require that the sender insert the recipient's Name.
This option ensures that the name of the recipient remains consistent throughout the lifespan of the transaction.
If KBA is not an option for the sender, then the authentication method is not enabled for the group from which the user is sending.
As a premium authentication method, KBA transactions must be purchased and available to the account before agreements can be sent with KBA configured.
KBA transactions are consumed on a per-recipient basis.
e.g., An agreement configured with three recipients authenticating by KBA consumes three authentication transactions.
Configuring an agreement with multiple recipients decrements one transaction for each recipient authenticating by KBA from the total volume available to the account.
Track available volume
To monitor the volume of KBA transactions available to the account:
KBA transactions are an account-level resource.
All groups that enable KBA consume their volume from the same communal pool of transactions.
A successful KBA identity verification is explicitly logged in the audit report with the authentication token provided by LexisNexis.
If the agreement is canceled due to the recipient being unable to authenticate, the reason is explicitly stated:
Knowledge-based authentication has two sets of controls, which are available to be configured at the account and group levels:
The option to use knowledge based authentication can be enabled for senders by navigating to Send Settings > Identity Authentication Methods
Email templates, like the post-signature verification to the recipient, can contain a link to the original agreement on the Adobe Sign servers:
By enabling the Use KBA when viewing the agreement after it has been signed setting, any attempt to access the agreement via link will be challenged to re-authenticate the recipient's identity via KBA.
The challenge process is exactly the same as the original recipient authentication process:
The agreement will not open for viewing until the KBA is properly resolved.
There is no option to edit or disable the authentication after the recipient has signed and completed their action.
Knowledge Based Authentication has three configurable options that can be found on the Security Settings page:
If you do not see the settings available in your menu, verify that the authentication method is enabled on the Send Settings page
If the settings restrict the number of KBA authentication attempts, and the recipient fails to authenticate that number of times, the agreement is automatically canceled.
The agreement's originator is sent an email announcing the cancelation with a note identifying the recipient that failed to authenticate.
No other parties are notified.